OpenVPN Server-Side Configuration (4): Generating Client Certificates

Assume there are two clients, a Mac and a Windows machine, named ClientMac and ClientWin respectively.
As before, we continue working as root.

debian:/etc/openvpn/easy-rsa# ./build-key-pass ClientMac (or ClientWin)
Generating a 1024 bit RSA private key
..............++++++
....................++++++
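writing new private key to 'ClientMac.key' (or 'ClientWin.key')
Enter PEM pass phrase: (the passphrase for accessing the private key; minimum 4 characters. Apparently it can be changed, but I don't really know how...)
Verifying - Enter PEM pass phrase: (same as above)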
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [**]:
State or Province Name (full name) [**]:
Locality Name (eg, city) [**]:
Organization Name (eg, company) [**]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ClientMac (or ClientWin)
Email Address [**@**]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (if you want to require a password when starting OpenVPN in client mode)
An optional company name []: (same as above)
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'**'
stateOrProvinceName   :PRINTABLE:'**'
localityName          :PRINTABLE:'**'
organizationName      :PRINTABLE:'**'
commonName            :PRINTABLE:'ClientMac' (or 'ClientWin')
emailAddress          :IA5STRING:'**@**'
Certificate is to be certified until Jan 13 07:33:33 2018 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

At this point, the keys directory contains the following:

debian:/etc/openvpn/easy-rsa# ls -l keys
total 84
-rw-r--r-- 1 root root 3660 Jan 16 14:58 01.pem
-rw-r--r-- 1 root root 3554 Jan 16 16:32 02.pem
-rw-r--r-- 1 root root 3560 Jan 16 16:33 03.pem
-rw-r--r-- 1 root root 3560 Jan 16 16:33 ClientMac.crt (ClientMac certificate)
-rw-r--r-- 1 root root  737 Jan 16 16:33 ClientMac.csr
-rw------- 1 root root  963 Jan 16 16:33 ClientMac.key (ClientMac private key)
-rw-r--r-- 1 root root 1261 Jan 16 14:29 ca.crt (CA certificate)
-rw------- 1 root root  887 Jan 16 14:29 ca.key (CA private key)
-rw-r--r-- 1 root root  245 Jan 16 16:22 dh1024.pem (DH parameters)
-rw-r--r-- 1 root root  283 Jan 16 16:33 index.txt
-rw-r--r-- 1 root root   20 Jan 16 16:33 index.txt.attr
-rw-r--r-- 1 root root   20 Jan 16 16:32 index.txt.attr.old
-rw-r--r-- 1 root root  188 Jan 16 16:32 index.txt.old
-rw-r--r-- 1 root root 3554 Jan 16 16:32 ClientWin.crt (ClientWin certificate)
-rw-r--r-- 1 root root  729 Jan 16 16:31 ClientWin.csr
-rw------- 1 root root  963 Jan 16 16:31 ClientWin.key (ClientWin private key)
-rw-r--r-- 1 root root    3 Jan 16 16:33 serial
-rw-r--r-- 1 root root    3 Jan 16 16:32 serial.old
-rw-r--r-- 1 root root 3660 Jan 16 14:58 server.crt (server certificate)
-rw-r--r-- 1 root root  672 Jan 16 14:57 server.csr
-rw------- 1 root root  891 Jan 16 14:57 server.key (server private key)

Copy ClientMac.crt and ClientMac.key to ClientMac, and ClientWin.crt and ClientWin.key to ClientWin. Also copy ca.crt to each of them.
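
The copy step above can be scripted so that each client receives exactly its own certificate, its own private key and ca.crt, and never ca.key or another machine's key. This is an added example, not part of the original post or of easy-rsa; the function name stage_client_bundle, its arguments and the rule of refusing the names "ca" and "server" are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: stage the three files one client needs from the easy-rsa
# keys directory. stage_client_bundle is a hypothetical helper name.
stage_client_bundle() {
    keys_dir=$1    # e.g. /etc/openvpn/easy-rsa/keys
    client=$2      # e.g. ClientMac or ClientWin
    out_dir=$3     # directory that will hold this client's bundle

    # Reject names that could leave keys_dir or select the CA/server key pair.
    case $client in
        ''|*/*|ca|server) echo "refusing client name '$client'" >&2; return 1 ;;
    esac

    # All three files must exist before anything is copied.
    for f in "$client.crt" "$client.key" ca.crt; do
        [ -f "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 1; }
    done

    # The private key must be -rw------- as in the listing above:
    # characters 5-10 of the mode string are the group and other bits.
    mode=$(ls -ld "$keys_dir/$client.key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$client.key is too permissive" >&2; return 1; }

    # Create the bundle with owner-only permissions, then copy the files.
    ( umask 077
      mkdir -p "$out_dir" &&
      cp "$keys_dir/$client.crt" "$keys_dir/$client.key" "$keys_dir/ca.crt" "$out_dir/" )
}
```

Running `openssl verify -CAfile ca.crt ClientMac.crt` inside the staged directory confirms that the client certificate chains to the CA before the bundle is handed over.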